dws: only allow owner to create persistent #215
Conversation
|
Who is meant by the "instance owner" here? I'm not sure I follow how this is intended to work. |
|
It's the userid that is running the flux instance. For the system instance it's the |
|
In theory I could also restrict it to |
|
@garlick do you have any tips for how I could submit a job as another user in the testsuite to make sure it's rejected? |
jameshcorbett
force-pushed
the
instance-owner-persistent
branch
from
35febad
to
e157674
Compare
|
It's unfortunately a bit complicated to fake that, but have a look at https://github.com/flux-framework/flux-core/blob/master/t/t2404-job-exec-multiuser.t |
|
Note that if you are using test execution then it is a lot less complicated. Just take the submit_as_alternate_user()
{
FAKE_USERID=42
flux run --dry-run "$@" | \
flux python ${SHARNESS_TEST_SRCDIR}/scripts/sign-as.py $FAKE_USERID \
>job.signed
FLUX_HANDLE_USERID=$FAKE_USERID \
flux job submit --flags=signed job.signed
}See t2400-job-exec-test.t for example of usage. This requires a flux-core compiled with flux-security, so you'll want to use a prereq as in that test as well. |
jameshcorbett
force-pushed
the
instance-owner-persistent
branch
from
e157674
to
06ac9a2
Compare
src/modules/coral2_dws.py
Outdated
| @@ -284,6 +285,12 @@ def create_cb(handle, _t, msg, api_instance): | |||
| raise TypeError( | |||
| f"Malformed dw_directives, not list or string: {dw_directives!r}" | |||
| ) | |||
| for directive in dw_directives: | |||
| if not unrestricted_persistent and "create_persistent" in directive: | |||
| if userid != os.getuid(): | |||
There was a problem hiding this comment.
If this is running at the system instance level you could call getattr on security.owner. But up to you
There was a problem hiding this comment.
That's a good point! Probably more robust too. I force-pushed to make it do that instead. Setting MWP.
jameshcorbett
force-pushed
the
instance-owner-persistent
branch
from
06ac9a2
to
8bb0c45
Compare
Problem: until futher work is done to support various usage policies for persistent file systems, it is sometimes desirable to restrict their creation to the instance owner. Reject jobs with `create_persistent` strings unless the job was submitted by the instance owner. Add a flag to disable the check.
Problem: to test the UID enforcement of the create_persistent restrictions, it would be helpful to submit a job as another user. Copy over the sign-as.py script from flux-core.
Problem: there are no tests than non-owners' create_persistent jobs are rejected. Add a test.
jameshcorbett
force-pushed
the
instance-owner-persistent
branch
from
8bb0c45
to
95b2143
Compare
Problem: until futher work is done to support various usage policies for persistent file systems, it is sometimes desirable to restrict their creation to the instance owner.
Reject jobs with
create_persistentstrings unless the job was submitted by the instance owner.Add a flag to disable the check.
Fixes #205.